OS X Vulnerable to SSL Bug Patched in iOS 7.0.6 Update

by

Yesterday's iOS 7.0.6 update provided a fix for an SSL connection verification issue, which turned out to be a major security flaw in the operating system. In a support document, Apple noted the patch repaired a specific vulnerability that could allow an attacker with a "privileged network position" to capture or modify data protected by SSL/TLS.

ios6security
In other words, iOS was vulnerable to a man-in-the-middle attack where an attacker could pose as a trusted website to intercept communications, acquiring sensitive information such as login credentials and passwords, or injecting harmful malware.

According to security firm CrowdStrike, OS X may be vulnerable as well, because it exhibits the same authentication flaw. OS X users are open to an attack on any shared wired or wireless network as SSL/TLS verification routines can be bypassed.

To pull off the attack an adversary has to be able to Man-in-The-Middle (MitM) network connections, which can be done if they are present on the same wired or wireless network as the victim. Due to a flaw in authentication logic on iOS and OS X platforms, an attacker can bypass SSL/TLS verification routines upon the initial connection handshake.

This enables an adversary to masquerade as coming from a trusted remote endpoint, such as your favorite webmail provider and perform full interception of encrypted traffic between you and the destination server, as well as give them a capability to modify the data in flight (such as deliver exploits to take control of your system).

The bug, which has been detailed by Google software engineer Adam Langley, may have been introduced in OS X 10.9. According to Hacker News users, it remains unclear whether the issue is fixed with the latest version of the software, OS X 10.9.2, which is currently only available for developers. Users can check whether or not their computers are affected by the vulnerability by visiting gotofail.com in Safari.

vulnerablebrowser
It is likely that Apple plans to release a fix for OS X in the near future to repair the vulnerability, but in the meantime, CrowdStrike recommends avoiding untrusted WiFi networks while traveling. The site also recommends an immediate update to iOS 7.0.6 for users who have not yet installed the newest version of the operating system on their iOS devices.

Update: Apple has told Reuters that it is aware of the issue and has a software fix that will be released "very soon."

Related Forums: iOS 7, OS X Mavericks

Popular Stories

iOS 26

15 New Things Your iPhone Can Do in iOS 26.2

Friday December 5, 2025 9:40 am PST by
Apple is about to release iOS 26.2, the second major point update for iPhones since iOS 26 was rolled out in September, and there are at least 15 notable changes and improvements worth checking out. We've rounded them up below. Apple is expected to roll out iOS 26.2 to compatible devices sometime between December 8 and December 16. When the update drops, you can check Apple's servers for the ...
Read Full Article51 comments
Intel Inside iPhone Feature

Apple's Return to Intel Rumored to Extend to iPhone

Friday December 5, 2025 10:08 am PST by
Intel is expected to begin supplying some Mac and iPad chips in a few years, and the latest rumor claims the partnership might extend to the iPhone. In a research note with investment firm GF Securities this week, obtained by MacRumors, analyst Jeff Pu said he and his colleagues "now expect" Intel to reach a supply deal with Apple for at least some non-pro iPhone chips starting in 2028....
Read Full Article151 comments
iPhone 14 Pro Dynamic Island

iPhone 18 Pro Leak Adds New Evidence for Under-Display Face ID

Monday December 8, 2025 4:54 am PST by
Apple is actively testing under-screen Face ID for next year's iPhone 18 Pro models using a special "spliced micro-transparent glass" window built into the display, claims a Chinese leaker. According to "Smart Pikachu," a Weibo account that has previously shared accurate supply-chain details on Chinese Android hardware, Apple is testing the special glass as a way to let the TrueDepth...
Read Full Article66 comments
iPhone 17 Pro Cosmic Orange

10 Reasons to Wait for Next Year's iPhone 18 Pro

Monday December 1, 2025 2:40 am PST by
Apple's iPhone development roadmap runs several years into the future and the company is continually working with suppliers on several successive iPhone models at the same time, which is why we often get rumored features months ahead of launch. The iPhone 18 series is no different, and we already have a good idea of what to expect for the iPhone 18 Pro and iPhone 18 Pro Max. One thing worth...
Read Full Article107 comments
Johny Srouji

Apple Chip Chief Johny Srouji Could Be Next to Go as Exodus Continues

Sunday December 7, 2025 10:41 am PST by
Apple's senior vice president of hardware technologies Johny Srouji could be the next leading executive to leave the company amid an alarming exodus of leading employees, Bloomberg's Mark Gurman reports. Srouji apparently recently told CEO Tim Cook that he is "seriously considering leaving" in the near future. He intends to join another company if he departs. Srouji leads Apple's chip design ...
Read Full Article379 comments
iOS 26

Apple Seeds Second iOS 26.2 Release Candidate to Developers and Public Beta Testers

Monday December 8, 2025 10:18 am PST by
Apple today seeded the second release candidate version of iOS 26.2 to developers and public beta testers, with the software coming one week after Apple seeded the first RC. The release candidate represents the final version iOS 26.2 that will be provided to the public if no further bugs are found. Registered developers and public beta testers can download the betas from the Settings app on...
Read Full Article46 comments
top stories 2025 12 04a

Top Stories: iOS 26.2 Coming Soon, Apple Execs Depart, and More

Saturday December 6, 2025 6:00 am PST by
You'd expect things to be starting to wind down for the holidays by now, but that doesn't seem to be the case yet in the world of Apple news, with Apple just about ready to release iOS 26.2 and other operating system updates to the public. There was also a flurry of news this week about Apple executive departures, some expected and some not so expected, while we also learned that Apple and...
Read Full Article8 comments
Johny Srouji

Apple's Chipmaking Chief Johny Srouji Responds to Report About Him Potentially Leaving

Monday December 8, 2025 9:23 am PST by
Apple's chipmaking chief Johny Srouji has reportedly indicated that he plans to continue working for the company for the foreseeable future. "I love my team, and I love my job at Apple, and I don't plan on leaving anytime soon," said Srouji, in a memo obtained by Bloomberg's Mark Gurman. Here is Srouji's full memo, as shared by Bloomberg:I know you've been reading all kind of rumors and...
Read Full Article79 comments
ive and altman

Jony Ive's OpenAI Device Barred From Using 'io' Name

Friday December 5, 2025 6:22 am PST by
A U.S. appeals court has upheld a temporary restraining order that prevents OpenAI and Jony Ive's new hardware venture from using the name "io" for products similar to those planned by AI audio startup iyO, Bloomberg Law reports. iyO sued OpenAI earlier this year after the latter announced its partnership with Ive's new firm, arguing that OpenAI's planned "io" branding was too close to its...
Read Full Article55 comments

Top Rated Comments

Smacky Avatar
Smacky
154 months ago
If this was a vulnerability in Flash, Windows, or Android there would be no end to the bashing that would be going on. Yet since it is Apple, users seem to be more accepting and are defending the company. Interesting indeed.

:apple:
Score: 9 Votes (Like | Disagree)
petsounds Avatar
petsounds
154 months ago
That's why I use Chrome, which gets security updates after every few weeks. :)

This has nothing to do with a particular browser. It's a flaw in the core OS X system security framework that software use to encrypt https (and other) connections.
Score: 7 Votes (Like | Disagree)
sixrom Avatar
sixrom
154 months ago
when are they going to fix this?

The fact that Apple made iOS it's first priority is very revealing, they could have made it their highest priority to fix both iOS & OS X concurrently.

Furthermore, it reveals how sloppy they're getting. It should have been caught before it was shipped. One minute they patronize the masses, boasting how much they care about their customers, then they pull a stunt like this.

Microsoft wouldn't allow this to go ignored as long as Apple has.

Here's more:
http://www.zdnet.com/apple-and-the-ssltls-bug-open-questions-7000026628/
Score: 6 Votes (Like | Disagree)
pierino84 Avatar
pierino84
154 months ago
$158.8 billion in cash reserves, and they don't hire a single security expert/programmer which at least skims through the core SSL code? :confused: :mad:
Score: 6 Votes (Like | Disagree)
lulumink Avatar
lulumink
154 months ago
I still have ios 6 on my iPad and I don't want to upgrade to ios 7 just because of this security issue! This basically forces every one to upgrade to ios 7. so annoying!!!
Score: 5 Votes (Like | Disagree)
sracer Avatar
sracer
154 months ago
I guess I needed to read more carefully:

"Apple has also released iOS 6.1.6 (build 10b500) for the iPhone 3GS and fourth-generation iPod touch."

Probably if you can upgrade to 7, you get 7.06, even you are still on IOS 6. I guess this is a really good way for Apple to get more people on 7.
How convenient. Apple will force everyone with a device capable of installing iOS7 to install it one way or another.... and then "brag" about the adoption of iOS 7.:rolleyes:
Score: 5 Votes (Like | Disagree)
Read All Comments